From 9216a6b6805e6eb48a65a22f2682e905c8b91abe Mon Sep 17 00:00:00 2001
From: Jiri Slaby
Date: Mar 03 2023 11:25:16 +0000
Subject: usb: gadget: u_serial: Add null pointer check in gserial_resume (bsc#1012628).
---
diff --git a/patches.kernel.org/6.2.2-013-usb-gadget-u_serial-Add-null-pointer-check-in-g.patch b/patches.kernel.org/6.2.2-013-usb-gadget-u_serial-Add-null-pointer-check-in-g.patch
new file mode 100644
index 0000000..ee3fef2
--- /dev/null
+++ b/patches.kernel.org/6.2.2-013-usb-gadget-u_serial-Add-null-pointer-check-in-g.patch
@@ -0,0 +1,91 @@
+From: Prashanth K
+Date: Mon, 13 Feb 2023 23:00:38 +0530
+Subject: [PATCH] usb: gadget: u_serial: Add null pointer check in
+ gserial_resume
+References: bsc#1012628
+Patch-mainline: 6.2.2
+Git-commit: 5ec63fdbca604568890c577753c6f66c5b3ef0b5
+
+commit 5ec63fdbca604568890c577753c6f66c5b3ef0b5 upstream.
+
+Consider a case where gserial_disconnect has already cleared
+gser->ioport. And if a wakeup interrupt triggers afterwards,
+gserial_resume gets called, which will lead to accessing of
+gser->ioport and thus causing null pointer dereference.Add
+a null pointer check to prevent this.
+
+Added a static spinlock to prevent gser->ioport from becoming
+null after the newly added check.
+
+Fixes: aba3a8d01d62 ("usb: gadget: u_serial: add suspend resume callbacks")
+Cc: stable
+Signed-off-by: Prashanth K
+Acked-by: Alan Stern
+Link: https://lore.kernel.org/r/1676309438-14922-1-git-send-email-quic_prashk@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jiri Slaby
+---
+ drivers/usb/gadget/function/u_serial.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c
+index 840626e0..a0ca47fb 100644
+--- a/drivers/usb/gadget/function/u_serial.c
++++ b/drivers/usb/gadget/function/u_serial.c
+@@ -82,6 +82,9 @@
+ #define WRITE_BUF_SIZE 8192 /* TX only */
+ #define GS_CONSOLE_BUF_SIZE 8192
+
++/* Prevents race conditions while accessing gser->ioport */
++static DEFINE_SPINLOCK(serial_port_lock);
++
+ /* console info */
+ struct gs_console {
+ struct console console;
+@@ -1375,8 +1378,10 @@ void gserial_disconnect(struct gserial *gser)
+ if (!port)
+ return;
+
++ spin_lock_irqsave(&serial_port_lock, flags);
++
+ /* tell the TTY glue not to do I/O here any more */
+- spin_lock_irqsave(&port->port_lock, flags);
++ spin_lock(&port->port_lock);
+
+ gs_console_disconnect(port);
+
+@@ -1391,7 +1396,8 @@ void gserial_disconnect(struct gserial *gser)
+ tty_hangup(port->port.tty);
+ }
+ port->suspended = false;
+- spin_unlock_irqrestore(&port->port_lock, flags);
++ spin_unlock(&port->port_lock);
++ spin_unlock_irqrestore(&serial_port_lock, flags);
+
+ /* disable endpoints, aborting down any active I/O */
+ usb_ep_disable(gser->out);
+@@ -1425,10 +1431,19 @@ EXPORT_SYMBOL_GPL(gserial_suspend);
+
+ void gserial_resume(struct gserial *gser)
+ {
+- struct gs_port *port = gser->ioport;
++ struct gs_port *port;
+ unsigned long flags;
+
+- spin_lock_irqsave(&port->port_lock, flags);
++ spin_lock_irqsave(&serial_port_lock, flags);
++ port = gser->ioport;
++
++ if (!port) {
++ spin_unlock_irqrestore(&serial_port_lock, flags);
++ return;
++ }
++
++ spin_lock(&port->port_lock);
++ spin_unlock(&serial_port_lock);
+ port->suspended = false;
+ if (!port->start_delayed) {
+ spin_unlock_irqrestore(&port->port_lock, flags);
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index 32dd479..7f3b482 100644
--- a/series.conf
+++ b/series.conf
@@ -52,6 +52,7 @@
 patches.kernel.org/6.2.2-010-wifi-rtw88-usb-drop-now-unnecessary-URB-size-ch.patch
 patches.kernel.org/6.2.2-011-usb-dwc3-pci-add-support-for-the-Intel-Meteor-L.patch
 patches.kernel.org/6.2.2-012-USB-serial-option-add-support-for-VW-Skoda-Cars.patch
+ patches.kernel.org/6.2.2-013-usb-gadget-u_serial-Add-null-pointer-check-in-g.patch
 ########################################################
 # Build fixes that apply to the vanilla kernel too.
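Review bot: gserial_suspend(), whose `EXPORT_SYMBOL_GPL` line is the context just above the last u_serial.c hunk, is not touched by this patch, so if it still reads `gser->ioport` without `serial_port_lock` (its body is outside the hunk) it may hit the same NULL dereference after gserial_disconnect that is closed here for gserial_resume; it is worth confirming and giving it the same check. In gserial_resume the interrupt state saved by `spin_lock_irqsave(&serial_port_lock, flags)` is restored later by `spin_unlock_irqrestore(&port->port_lock, flags)` on a different lock, which works but is easy to break in a later edit. I would extend the comment on the lock definition to `/* Protects gser->ioport; take before port->port_lock, never after */` and add `/* IRQs stay off; flags are restored when port_lock is dropped */` above `spin_unlock(&serial_port_lock);`. gserial_disconnect starts before its hunks and gserial_resume continues past the end of its hunk, so the remaining unlock paths could not be checked from here.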